version of vundo that won't remove with any tool tried....

Discussion in 'Malware Help (A Specialist Will Reply)' started by jpiezo, Mar 8, 2010.

  1. jpiezo

    jpiezo Private E-2

    Hello to all the moderators and folks that help out with these items.

    Also thank you in advance and up front for your assistance.

    I have a computer that appears to have vundo trojan on it. I have run combofix, malwarebytes (after renaming the binary), superantispyware, and hijackthis.

    Overall, each of the first three originally found something and removed it. After reboot rundll32.exe would show thousands of times in taskmanager.

    Running malwarebytes now seems to freeze each time. I have uninstalled and reinstalled and it freezes each time. combofix doesn't seem to find anything, nor superanti. hijackthis does find thousands of lines in the registry, however there isn't a select all option for the checkboxes. It would be far less work to use a select all and then unselect those items I want to keep rather than to check all of the items found to be deleted. Also, I am not confident that simply making these registry items is all that needs to be done.

    This computer has freeavg on it, and of course it never identified this trojan.

    I have booted into safe mode and run the tools as well as in *normal*.

    I have also enabled view hidden and system files.

    Additionally, I have tried using msconfig to prevent some items from starting, it seems to get re-configured with each boot (I assume by this trojan).

    I have also attempted to put a thumb drive into the usb to possibly run an app from there and it will not mount.

    I look forward to guidance in managing this issue; the time put in so far is far more than it would have taken to format and reinstall. Common sense is telling me to do this, however if the malware can be removed safely and permanently, I'd prefer to perform the cleaning first, then a backup, then a fresh install. Backing up from this system now to do a clean install and copy files back has the potential of bringing the same virus back, depending on how it gained access the first time.

    I will post results from gmer, combofix, hijackthis etc after posting this message.

    Also, I have a post on bleepingcomputer as well. There have not been any replies there yet. I have gained lots of information from each of these sites, yet never actually asked for assistance before. This is the first sneaky app that has gotten the best of me and it is frustrating.


    Jon
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to stick with either them or us, otherwise it is a waste of either their or my time. If you want our help, you need to do this:

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. jpiezo

    jpiezo Private E-2

    Hello TimW,

    I will run the steps documented, as I have already printed the pages. I will also close the forum post on bleepingcomputer. I like major geeks quite a bit. The posts on this site have saved my rear on several occasions.

    I shall post shortly.

    Jon
     
  4. jpiezo

    jpiezo Private E-2

    OK, I have run SUPERAntiSpyware, Malwarebytes, ComboFix, RootRepeal and MGtools. The logs are being attached now.

    Sorry it took so long, this system really takes some time to run malwarebytes mostly. It had some files that it reported it could not remove. I saved this pop-up to a .rtf file since I didn't see this info in the log. Therefore, there are more logs than requested.

    I received an error due to logfile size. Therefore I am zipping the files:

    combofix-log.txt:
    Upload of file failed.
    mbam-log-2010-03-09 (07-16-11).txt:
    Your file of 1.18 MB bytes exceeds the forum's limit of 250.0 KB for this filetype.


    Thanks,

    Jon
     

    Attached Files:

  5. jpiezo

    jpiezo Private E-2

    This post is to upload the .rtf file with registry keys mwb said it could not remove.

    Jon
     

    Attached Files:

  6. jpiezo

    jpiezo Private E-2

    Ugh, I just realized that I hadn't uploaded the mgtools file. here it is...
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Gezzzzzzzzzzz........ok. Let's begin with this:
    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    jtujbu
    yxuin
    
    File::
    c:\windows\system32\rqpomk.dll
    c:\windows\system32\khghii.dll
    c:\windows\Mfaxovu.dat
    c:\windows\Pkojo.bin
    c:\documents and settings\NetworkService\Application Data\glchvt.dat
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nnollmsys"=-
    "effefesys"=-
    "iihfcasys"=-
    "xxvurrsys"=-
    "yaxyxwsys"=-
    "kheccasys"=-
    "ssrrqosys"=-
    "tusrrpsys"=-
    "qomlklsys"=-
    "urpnnnsys"=-
    "yaayyvsys"=-
    "hgghfdsys"=-
    "ljgedbsys"=-
    "qomnoosys"=-
    "urpqnosys"=-
    "qopmkksys"=-
    "jkjkiisys"=-
    "oponmnsys"=-
    "cbbyyasys"=-
    "hgfdaasys"=-
    "awtrolsys"=-
    "wvvvspsys"=-
    "nnopnmsys"=-
    "pmlllmsys"=-
    "opooolsys"=-
    "mlkkkjsys"=-
    "hgdecasys"=-
    "mlkklmsys"=-
    "nnkifdsys"=-
    "xxxvussys"=-
    "fcbcaasys"=-
    "awwwuusys"=-
    "ddabcdsys"=-
    "awussssys"=-
    "gedbcdsys"=-
    "urppmlsys"=-
    "iiiihgsys"=-
    "vtuvvssys"=-
    "tusrpqsys"=-
    "mlkhffsys"=-
    "efffdesys"=-
    "iiifdesys"=-
    "jkjjkisys"=-
    "iiijhfsys"=-
    "cbywtssys"=-
    "ljijhisys"=-
    "xxvsttsys"=-
    "mligdasys"=-
    "xxxwvssys"=-
    "efffeesys"=-
    "xxywwusys"=-
    "vtutsrsys"=-
    "yabxuusys"=-
    "wvvsppsys"=-
    "ddayyysys"=-
    "iiihfesys"=-
    "cbyaxwsys"=-
    "rqrqrpsys"=-
    "hggdbbsys"=-
    "ddabaxsys"=-
    "opmnnosys"=-
    "wvvvussys"=-
    "cbywvwsys"=-
    "yaxyxxsys"=-
    "cbxyxvsys"=-
    "wvvspmsys"=-
    "wvwxwusys"=-
    "awutttsys"=-
    "hgdayxsys"=-
    "xxxwwtsys"=-
    "ddbxwvsys"=-
    "awtspmsys"=-
    "urrqqrsys"=-
    "fcccywsys"=-
    "qomnkhsys"=-
    "mlmkhfsys"=-
    "iiiffcsys"=-
    "khijkhsys"=-
    "ljggefsys"=-
    "khiifcsys"=-
    "hgfgfcsys"=-
    "fcywvusys"=-
    "efdedcsys"=-
    "dddabxsys"=-
    "xxxxvssys"=-
    "tusqpnsys"=-
    "bywuvusys"=-
    "opoolmsys"=-
    "hggebcsys"=-
    "xxxyvusys"=-
    "cbxwxwsys"=-
    "ljghfgsys"=-
    "iifebcsys"=-
    "ljgdccsys"=-
    "xxyvtssys"=-
    "nnmmmksys"=-
    "jkkihfsys"=-
    "tuvtrpsys"=-
    "iifecdsys"=-
    "xxvuussys"=-
    "tusrqpsys"=-
    "fcbyxvsys"=-
    "xxvsrqsys"=-
    "ursrqqsys"=-
    "pmklijsys"=-
    "fcbcaysys"=-
    "hgdcyxsys"=-
    "wvtqomsys"=-
    "rqronksys"=-
    "qomnnksys"=-
    "efcywusys"=-
    "ssrrrssys"=-
    "dddbyysys"=-
    "urpomnsys"=-
    "hgdabbsys"=-
    "gebxvusys"=-
    "nnkjjisys"=-
    "urpqposys"=-
    "jkhghesys"=-
    "tuspmlsys"=-
    "yabxwtsys"=-
    "tustussys"=-
    "jkjgghsys"=-
    "iiheeesys"=-
    "mlkhhhsys"=-
    "bywvtssys"=-
    "khgdefsys"=-
    "iiiijisys"=-
    "fcbbbysys"=-
    "cbxwuvsys"=-
    "urpponsys"=-
    "opqrpqsys"=-
    "nnkiifsys"=-
    "jkjhfgsys"=-
    "iiihgesys"=-
    "yabaxvsys"=-
    "opmmjjsys"=-
    "awtqonsys"=-
    "ssrrqrsys"=-
    "rqoljjsys"=-
    "awttqnsys"=-
    "byvwursys"=-
    "khgdbcsys"=-
    "yabyyxsys"=-
    "khecyasys"=-
    "iiffggsys"=-
    "iiiihhsys"=-
    "mlmljisys"=-
    "hgdbbbsys"=-
    "qopqqpsys"=-
    "pmlkhisys"=-
    "xxxyawsys"=-
    "tutrrosys"=-
    "efdddasys"=-
    "kheedcsys"=-
    "xxxyaxsys"=-
    "urrqrqsys"=-
    "vtrsstsys"=-
    "nnmnmjsys"=-
    "rqppmnsys"=-
    "jkjihgsys"=-
    "vtrqpmsys"=-
    "jkkifdsys"=-
    "wvvtutsys"=-
    "yaxwtqsys"=-
    "ddaawxsys"=-
    "iifghfsys"=-
    "cbywxvsys"=-
    "vtttspsys"=-
    "geeddbsys"=-
    "xxxxwusys"=-
    "xxvvwvsys"=-
    "efdedasys"=-
    "qonkjgsys"=-
    "oponlksys"=-
    "tuttqosys"=-
    "pmnkkksys"=-
    "tusqposys"=-
    "cbbbccsys"=-
    "rqrsqrsys"=-
    "pmnmnnsys"=-
    "fcyxyasys"=-
    "hggefdsys"=-
    "ljklijsys"=-
    "efcywwsys"=-
    "xxywxusys"=-
    "ljkhhgsys"=-
    "xxyxwwsys"=-
    "nnommlsys"=-
    "qomjiisys"=-
    "rqpqqqsys"=-
    "qomnnmsys"=-
    "awutqnsys"=-
    "xxxyyvsys"=-
    "qonmkjsys"=-
    "fcbyaxsys"=-
    "fcywtrsys"=-
    "iihhhhsys"=-
    "ddaywxsys"=-
    "rqomjksys"=-
    "sstrpnsys"=-
    "qonmnmsys"=-
    "ddbcbbsys"=-
    "hgfgeesys"=-
    "oponnnsys"=-
    "khghebsys"=-
    "ljkjifsys"=-
    "qonnmlsys"=-
    "iifdbcsys"=-
    "ddbbcdsys"=-
    "efdcaxsys"=-
    "ljigddsys"=-
    "ljkkhgsys"=-
    "efccawsys"=-
    "opqqrrsys"=-
    "ssqqoosys"=-
    "nnmkljsys"=-
    "wvwtstsys"=-
    "ljijkjsys"=-
    "byywvwsys"=-
    "opqponsys"=-
    "nnolmksys"=-
    "awwtstsys"=-
    "jkhebasys"=-
    "urpnmnsys"=-
    "opqpmmsys"=-
    "iihiiisys"=-
    "yababasys"=-
    "ssqpppsys"=-
    
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "tuvwtssys"=-
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
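    The CFScript above was hand-assembled from the Run-key entries in the attached logs: one `"name"=-` line per rogue value under each Run key, plus a File:: section for the DLLs those values load. As an added example (not code from TimW, ComboFix, or the MajorGeeks guide), the Python below shows how such a deletion list can be generated mechanically from HijackThis-style O4 startup lines, so that the nine-character `xxxxxxsys` value names do not have to be typed out by hand. The sample log lines are constructed for illustration; the value names and DLL names are taken from the script above, but the assumption that each value launched rundll32.exe with one of those DLLs is mine and is not stated anywhere in the thread. The Driver:: section cannot be derived from O4 lines and is left out.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of HijackThis "O4" startup lines. NOT a real log from this
# thread: value/DLL names are borrowed from the CFScript above, and the rundll32
# command lines are an assumption about how the values were used.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nnollmsys] rundll32.exe "c:\windows\system32\rqpomk.dll",s
O4 - HKLM\..\Run: [effefesys] rundll32.exe "c:\windows\system32\khghii.dll",s
O4 - HKLM\..\Run: [AVG_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKUS\.DEFAULT\..\Run: [tuvwtssys] rundll32.exe "c:\windows\system32\rqpomk.dll",s
""".strip()

# HijackThis hive shorthand -> full Run key as ComboFix expects it in Registry::
HIVE_TO_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKUS\.DEFAULT": r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
}

# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\\.DEFAULT)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)
# Value-name pattern seen in this thread: six lowercase letters followed by "sys".
RANDOM_NAME = re.compile(r"^[a-z]{6}sys$")
# First drive-letter path ending in .dll inside a command line.
DLL_PATH = re.compile(r'([a-zA-Z]:\\[^",]+?\.dll)', re.IGNORECASE)


def parse_o4(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (hive, value name, command) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return entries


def is_suspicious(name: str, cmd: str) -> bool:
    """Flag a randomized 'xxxxxxsys' value name, or rundll32 loading a
    DLL whose basename is itself six random letters."""
    if RANDOM_NAME.match(name):
        return True
    if "rundll32" in cmd.lower():
        m = DLL_PATH.search(cmd)
        if m and re.search(r"\\[a-z]{6}\.dll$", m.group(1), re.IGNORECASE):
            return True
    return False


def build_cfscript(log_text: str) -> str:
    """Emit a CFScript: KILLALL::, File:: for the loaded DLLs, and a
    Registry:: section deleting each flagged Run value with '=-'."""
    deletions: Dict[str, List[str]] = {}
    files: List[str] = []
    for hive, name, cmd in parse_o4(log_text):
        if not is_suspicious(name, cmd):
            continue
        deletions.setdefault(HIVE_TO_KEY[hive], []).append(name)
        m = DLL_PATH.search(cmd)
        if m and m.group(1).lower() not in files:
            files.append(m.group(1).lower())

    out = ["KILLALL::", ""]
    if files:
        out += ["File::", *files, ""]
    if deletions:
        out.append("Registry::")
        for key, names in deletions.items():
            out += [f"[{key}]", *(f'"{n}"=-' for n in names), ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_O4_LINES))
```

    Review the generated script before dragging it onto ComboFix: the name heuristic is deliberately narrow to the pattern in this thread, but any legitimate value that happens to be six lowercase letters plus "sys" would be flagged too, and a DLL path shared by several values is listed once. Anything the heuristic misses (the Driver:: entries, .dat/.bin droppers) still has to come from reading the full logs.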
  8. jpiezo

    jpiezo Private E-2

    TimW,

    I followed your guidance to the 't', and before sending the logs I am telling you that the system has rebooted. This is the ultimate test, since I have thought before that I had the system clean, would reboot, and have the thousands of rundll32.exe show up again.

    However, this time WOOHOO the system started up clean!


    Thank you so very much for your assistance.

    I have to note that prior to receiving your instructions, I looked at the .rtf file with the files Malwarebytes said that it couldn't remove and went into regedit to remove them, and found the whole list showing just as in your script. I backed up the registry and then deleted all of those keys. Then I performed a search of the registry for khghii.dll, which did show.


    Thank you so much for your assistance. I need to look through my logs and figure out where you gleaned the information to write the script for ComboFix. I'd like to be able to help others as the MajorGeeks folks are doing.

    I love this site, thanks again,

    Jon

    P.S. let me know if you would like to see the logs just for safety?
     
  9. jpiezo

    jpiezo Private E-2

    Hello TimW,

    I had noticed that the Firefox binary was missing on this system, so I went to Internet Explorer and downloaded and installed Firefox. I also could not get the free AVG that was on this system to run, so I uninstalled it and went to download a newer version. Then I found that I could no longer get on the net. I went to cmd and entered ipconfig and it returned nothing.

    Went to control panel device manager and it brings up a blank screen!

    I have a save of the registry from prior to the final clean-up, however I'd rather not restore a registry with the exploit in it if possible.

    Has this activity ever been seen? Is this something that could be caused by the malware that appears removed?

    Please advise,

    Jon
     
  10. jpiezo

    jpiezo Private E-2

    OK, I have used system restore to bring the system back to where it was at the time of uninstalling freeavg. I now have networking up and ipconfig provides IP info, however the device manager is still a blank page.

    The window has its controls, and the icons are at the top of the window for "search for new hardware", "enable", "disable" etc...

    We know that there are devices and they are working, they just are not being represented by the device manager.

    Any ideas what to do in this situation?

    Jon
     
  11. jpiezo

    jpiezo Private E-2

    Hi TimW,

    I also noticed that the plug and play service as well as network manager are not running. When I try to enable network services, it says that plug and play or other services are not enabled. When attempting to enable p and p, it says that another service is not enabled. I have not identified which service this may be. Still looking...

    Jon
     
  12. jpiezo

    jpiezo Private E-2

    I think I have this working, had to enable various services all erroring with a warning that Plug and play or another service is not enabled. I finally started the plug and play service and these errors are no longer coming. I had previously changed the properties to automatic.

    Jon
     
  13. jpiezo

    jpiezo Private E-2

    Ugh, I still have no information in the network connections window even though the network is up and the device manager is showing devices again.

    Jon
     
  14. jpiezo

    jpiezo Private E-2

    OK, all appears fine now. I rebooted after enabling several services that were disabled. Sure, I could have started them manually, however I wanted to make sure the system would start everything as necessary. There were many services not enabled, from Network Connections to Plug and Play to COM and COM+ and Print Spooler.

    I don't have another XP system to compare the list to, however I would like to make sure that I both have running those services that should be and don't have those that are not necessary. I went by intuition.

    Jon
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the new logs.
     
  16. jpiezo

    jpiezo Private E-2

    Hi TimW,

    I no longer have this system, it has been delivered back to the person I was helping. There were several services that were disabled, I went through and changed them to auto. Upon reboot everything appears fine.

    Most important, the vundo is not starting the rundll32.exe processes as before.

    Thank you very very much for your assistance,

    Jon
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know. And you are welcome. :)
     
